adventuresinsecurity.com Blog

 

Voice over IP, also known as VoIP, is quickly growing in popularity. Organizations are initially attracted to this relatively new technology because of its lower per call costs when compared to traditional voice services.  But they soon realize that VoIP provides additional value.

1. Unified messaging, though still in its infancy, is introduced into the enterprise.  Users can listen to their email and access their voice mail through their email.
2. Applications can deliver company data directly to the phone display.
3. VoIP runs on an organization’s data network, eliminating the need for a separate infrastructure just for voice.
4. Moving end-user phone service to a different desk or office is as simple as plugging the existing IP phone into a network jack at the new location.

Like most emerging technologies, there’s a catch.  As an IT department integrates VoIP into a company network, it encounters new security challenges.

1. Traditional network hackers have a new set of applications and protocols to scan for vulnerabilities  – vulnerabilities that provide easy access into converged data and voice networks.
2. Since VoIP relies on the TCP/IP suite of protocols, voice now becomes vulnerable to tried and true TCP/IP exploits.

I’ve posted links to resources below that provide detail about what you face if you decide to implement VoIP.  These resources include an Excel spreadsheet to use as a quick reference to help you or your IT staff think through the VoIP security analysis process.  So let’s just take a high-level look at some  common security challenges.

1. Preventing physical access to the IP infrastructure is as important to securing VoIP as it is to securing your current data network.  If an attacker can’t get to your network wire, he’ll have a hard time gathering data necessary to compromise your network or your business.  Keep all network devices, like routers, switches, and hubs, in locked locations.  A new physical vulnerability introduced by IP phones is the integrated switching capability inherent in many models.  Anyone can jack into your network by plugging a drop cable into the back of an IP phone.  Without going into too much detail here, I’ll just say that you need to work with your network engineering and voice teams to either disable the phone integrated switches, or configure the switches to reside on a virtual network that is separate from your data network.  You’ve probably spent significant resources securing your data network; don’t punch holes in your defenses by adding hundreds of switch ports with physical access to your business critical applications. 
2. A problem not unique to VoIP is eavesdropping.  This becomes a problem if your physical access controls fail.  Placing a network sniffing device on your voice network, an attacker can obtain user account information, PINs, and passwords related to your phone system.  She can also gather IP packets for one of more phone conversations.  Later, she can piece the packets together to listen to business phone conversations.  For organizations regulated by HIPAA, this can lead to a serious compliance violation.
3. Denial of service attacks now become a threat for your voice services.  Attacks against SIP, the VoIP signalling protocol, can put voice services into overdrive – preventing users from making or receiving calls.
4. VoIP infrastructure is vulnerable to malware infection.  The same attacks originating from the Internet or from a user workstation can spread to your voice systems.

These are just four of the many security considerations related to VoIP.  But before you start locking down your voice network, consider the impact security has on voice quality.  For call quality over VoIP to equal that provided by traditional voice services, the total packet latency between end points cannot exceed 150 ns.  Each time you add a firewall, encryption, or other security safeguard, you add to the latency inherent in just passing the packet over your network.  It doesn’t take long to reach 150 ns.  Like all security activities, securing VoIP requires a balance between security and usability.

I’d like to close this entry with a list of best practices for managing a secure VoIP implementation.  This list is from an  October 2005 Information Security magazine article by Jeff Stutzman. 

1. Strategize
2. Assess the current infrastructure
3. Engineer the solution
4. Outline network operations
5. Prepare for outages
6. Train yourself and your users

A link to the complete article, with details for each of the tasks listed, is located in the Sources section below.

Implementing VoIP will likely become mandatory for businesses cutting costs to remain competitive.  But managers must ensure they do not weaken their network infrastructures in the rush to improve the bottom line.

Author:  Tom Olzak 

Sources:

Jeff Stutzman Article – Security Hang-ups

IP Telephony Security, Parts I and II

NIST SP 800-58, Security Considerations for Voice Over IP Systems

Resources:

VoIP Quick Reference

Your email:  
subscribe unsubscribe  

 

This entry was posted on Friday, January 27th, 2006 at 1:05 pm and is filed under All, Security Management Tips. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.